Description

[0001] This invention relates to methods and systems for converting a first key value of a first communications system to a second key value of a second communications system.

[0002] FIG. 1 depicts a schematic diagram of first and second wireless communications systems which provide wireless communications service to wireless units (e.g., wireless units 12a-e) that are situated within the geographic regions 14 and 16, respectively. A Mobile Switching Center (e.g. MSCs 20 and 24) is responsible for, among other things, establishing and maintaining calls between the wireless units, calls between a wireless unit and a wireline unit (e.g., wireline unit 25), and/or connections between a wireless unit and a packet data network (PDN), such as the internet. As such, the MSC interconnects the wireless units within its geographic region with a public switched telephone network (PSTN) 28 and/or a packet data network (PDN) 29. The geographic area serviced by the MSC is divided into spatially distinct areas called "cells." As depicted in FIG. 1, each cell is schematically represented by one hexagon in a honeycomb pattern; in practice, however, each cell has an irregular shape that depends on the topography of the terrain surrounding the cell.

[0003] Typically, each cell contains a base station (e.g. base stations 22a-e and 26a-e), which comprises the radios and antennas that the base station uses to communicate with the wireless units in that cell. The base stations also comprise the transmission equipment that the base station uses to communicate with the MSC in the geographic area. For example, MSC 20 is connected to the base stations 22a-e in the geographic area 14, and an MSC 24 is connected to the base stations 26a-e in the geographic region 16. Within a geographic region, the MSC switches calls between base stations in real time as the wireless unit moves between cells, referred to as call handoff. Depending on the embodiment, a base station controller (BSC) can be a separate base station controller (BSC) (not shown) connected to several base stations or located at each base station which administers the radio resources for the base stations and relays information to the MSC.

[0004] The MSCs 20 and 24 use a signaling network 32, such as a signaling network conforming to the standard identified as TIA/EIA-41-D entitled "Cellular Radiotelecommunications Intersystem Operations," December 1997 ("IS-41"), which enables the exchange of information about the wireless units which are roaming within the respective geographic areas 14 and 16. For example, a wireless unit 12a is roaming when the wireless unit 12a leaves the geographic area 14 of the MSC 20 to which it was originally assigned (e.g. home MSC). To ensure that a roaming wireless unit can receive a call, the roaming wireless unit 12a registers with the MSC 24 in which it presently resides (e.g., the visitor MSC) by notifying the visitor MSC 24 of its presence. Once a roaming wireless unit 12a is identified by a visitor MSC 24, the visitor MSC 24 sends a registration request to the home MSC 20 over the signaling network 32, and the home MSC 20 updates a database 34, referred to as the home location register (HLR), with the identification of the visitor MSC 24, thereby providing the location of the roaming wireless unit 12a to the home MSC 20.

[0005] After a roaming wireless unit is authenticated, the home MSC 20 provides to the visitor MSC 24 a customer profile which indicates the features available to the roaming wireless unit, such as call waiting, caller id, call forwarding, three-way calling, and international dialing access. Upon receiving the customer profile, the visitor MSC 24 updates a database 38, referred to as the visitor location register (VLR), to provide the same features as the home MSC 20. The HLR, VLR and/or the authentication center (AC) can be co-located at the MSC or remotely accessed.

[0006] If a wireless unit is roaming between wireless communications systems using different wireless communications standards, providing the wireless unit with the same features and services in the different wireless communications systems is complex if even feasible. There are currently different wireless communication standards utilized in the U.S., Europe, and Japan. The U.S. currently utilizes two major wireless communications systems with differing standards. The first system is a time division multiple access system (TDMA) and is governed by the standard known as IS-136, the second system is a code division multiple access (CDMA) system governed by the standard known as IS-95. Both communication systems use the standard known as IS-41 for intersystem messaging, which defines the authentication procedure.

[0007] In TDMA, users share a frequency band, each user's speech is stored, compressed and transmitted as a quick packet, using controlled time slots to distinguish them, hence the phrase "time division". At the receiver, the packet is decompressed. In the IS-136 protocol, three users share a given carrier frequency. In contrast, CDMA uses a unique code to "spread" the signal across the wide area of the spectrum (hence the alternative name - spread spectrum), and the receiver uses the same code to recover the signal from the noise. A very robust and secure channel can be established, even for an extremely low-power signal. Further, by using different codes, a number of different channels can simultaneously share the same carrier signal without interfering with each other. Both CDMA and TDMA systems are defined for a Second Generation (2G) and Third Generation (3G) phases with differing requirements for user information privacy or confidentiality.

[0008] Europe utilizes the Global System for Mobiles (GSM) network as defined by the European Telecommunications Standard Institute (ETSI). GSM is a TDMA standard, with 8 users per carrier frequency. The speech is taken in 20 msec windows, which are sampled, processed, and compressed. GSM is transmitted on a 900 MHz carrier. There is an alternative system operating at 1.8 GHz (DCS 1800), providing additional capacity, and is often viewed as more of a personal communication system (PCS) than a cellular system. In a similar way, the U.S. has also implemented DCS-1900, another GSM system operating on the different carrier of 1.9 GHz. Personal Digital Cellular (PDC) is the Japanese standard, previously known as JDC (Japanese Digital Cellular). PDC is a TDMA standard similar to the U.S. standard known as IS-54 protocol.

[0009] The GSM network utilizes a removable user identification module (UIM) which is a credit card size card which is owned by a subscriber, who slides the UIM into any GSM handset to transform it into "their" phone. It will ring when their unique phone number is dialed, calls made will be billed to their account; all options and services connect; voice mail can be connected and so on. People with different UIMs can share one "physical" handset, turning it into several "virtual" handsets, one per UIM. Similar to the U.S. systems, the GSM network also permits "roaming", by which different network operators agree to recognize (and accept) subscribers from other wireless communications systems or networks, as wireless units (or UIMs) move. So, British subscribers can drive through France or Germany and use their GSM wireless unit to make and receive calls (on their same UK number), with as much ease as an American businessman can use a wireless unit in Boston, Miami, or Seattle, within any one of the U.S. wireless communications systems. The GSM system is defined as a Second Generation (2G) system.

[0010] The third generation (3G) enhancement of the GSM security scheme is defined in the Universal Mobile Telecommunications Service (UMTS) set of standards, and specifically for the security in the standard identified as 3GPP TS-33.102 "Security Architecture" specifications. This security scheme with slight variations will be used as a basis for the worldwide common security scheme for all 3G communications systems, including UMTS, TDMA, and CDMA.

[0011] The 2G GSM authentication scheme is illustrated in FIG. 2. This authentication scheme includes a home location register (HLR) 40, a visiting location register (VLR) 50, and a wireless unit or mobile terminal (MT) 60, which includes a UIM 62. When the mobile terminal 60 places a call, a request is sent to the home location register 40, which generates an authentication vector AV, also called "triplet" (RAND, SRES, Kc) from a root key Ki. The triplet includes a random number RAND, a signed response SRES, and a session key Kc. The triplet is provided to the visiting location register 50, which passes the random number RAND to the mobile terminal 60. The UIM 62 receives the random number RAND, and utilizing the root key Ki, the random number RAND, and an algorithm A3, calculates a signed response SRES. The UIM 62 also utilizes the root key Ki and the random number RAND, and an algorithm A8 to calculate the session key Kc. The SRES, calculated by the UIM 62, is returned to the visiting location register 50, which compares this value with the SRES received from the home location register 40, in order to authenticate the subscriber using the mobile terminal 60.

[0012] In the GSM "challenge/response" authentication system, the visiting location register 50 never receives the root key Ki being held by the UIM 62 and the home location register 40. The VLR 50 also does not need to know the authentication algorithms used by the HLR 40 and UIM 62. Also, in the GSM authentication scheme, the triplet must be sent for every phone call by the home location register 40. RAND is 128 bits, SRES is 32 bits, and Kc is 64 bits, which is 224 bits of data for each request, which is a significant data load. The main focus of this description is the 64 bits long Kc session ciphering key which is used for user information confidentiality. When the mobile terminal roams into another serving system while in the call, the session key Kc is forwarded from the old VLR to the new target serving system.

[0013] FIG. 3 shows the UMTS security scheme which is an enhancement to the 2G GSM scheme. Similar to the GSM scheme, when the mobile terminal 90 places a call, a request is sent to the home location register 70, which sends an authentication vector AV to the Visited Location Register (VLR) 80 which contains five elements instead of the three elements of a triplet, and therefore is called "quintuplet". This vector contains the 128 bit RAND, the 64 bits SRES, the AUTN value which carries the authentication signature of the home network, and two session security keys: the 128 bit ciphering key CK and the 128 bit integrity key IK. These latter two keys, CK and IK, are the focus of this description.
[0014] The vector is provided to the visiting location register 80, which passes the random number RAND and the AUTN to the mobile terminal 90. The UIM 92 receives the random number RAND, and utilizing the root key Ki, the random number RAND, and defined algorithmic functions, validates the AUTN and calculates a signed response SRES. The UIM 92 also utilizes the root key Ki and the random number RAND and defined algorithmic functions to calculate the session keys CK and IK. The SRES, calculated by the UIM 92, is returned to the visiting location register 80, which compares this value with the SRES received from the home location register 70 in order to authenticate the subscriber using the mobile terminal 90. A focus of this description are the 128 bits long session ciphering key CK and 128 bits long session integrity key IK which are used for user information confidentiality and session integrity protection. Once the subscriber is successfully authenticated, the VLR 80 activates the CK and IK received in this authentication vector. If the mobile terminal roams into another serving system while on the call, the CK and IK are sent to the new target serving system.

[0015] The 2G IS-41 authentication scheme, used in U.S. TDMA and CDMA systems, is illustrated in FIG. 4. This authentication scheme involves a home location register (HLR) 100, a visiting location register (VLR) 110, and a mobile terminal (MT) 120, which can include a UIM 122. The root key, known as the A_key, is stored only in the HLR 100 and the UIM 122. There is a secondary key, known as Shared Secret Data SSD, which is sent to the VLR 110 during roaming. SSD is generated from the A_key using a cryptographic algorithm. The procedure for generating the SSD is described elsewhere and is known to those skilled in the art. When the MT 120 roams to a visiting network, the VLR 110 sends an authentication request to the HLR 100, which responds by sending that subscriber's SSD. Once the VLR 110 has the SSD, it can authenticate the MT 120 independently of the HLR 100, or with the assistance of the HLR 100 as is known to those skilled in the art. The VLR 110 sends a random number RAND to the UIM 122 via the MT 120, and the UIM 122 calculates the authentication response (AUTHR) using RAND and the stored value of SSD in UIM 122. AUTHR is returned to the VLR 110, which checks it against the value of AUTHR that it has independently calculated in the same manner. If the two AUTHR values match, the MT 120 is declared valid. This process repeats when the wireless unit attempts to access the system, for instance, to initiate a call, or to answer a page when the call is received.

[0016] In these cases, the session security keys are also generated. To generate session security keys, the internal state of the computation algorithm is preserved after the authentication calculation. Several session security keys are then calculated by the UIM 122 and the VLR 110 using the current value of SSD. Specifically, the 520 bits Voice Privacy Mask (VPM) is computed, which is used for concealing the TDMA speech data throughout the call. This VPM is derived at the beginning of the call by the UIM and VLR, and, if the mobile roams into another serving system during the call, the VPM is sent to the new serving system by the VLR. When the call is concluded, the VPM is erased by both the UIM and the serving VLR. Likewise, the 64 bits Signaling Message Encryption Key (SMEKEY) is computed, which is used for encrypting the TDMA signaling information throughout the call. This SMEKEY is derived at the beginning of the call by the UIM and VLR, and, if the mobile roams into another serving system during the call, the SMEKEY is sent to the new serving system by the VLR. When the call is concluded, the SMEKEY is erased by both the UIM and the serving VLR.

[0017] The 2G CDMA scheme uses a similar method of key distribution, except, instead of the 520 bits VPM, it is using the 42 Least Significant Bits (LSB) of the VPM as a seed into the Private Long Code Mask (PLCM). This PLCM is used as an additional scrambling mask for the information before its spreading. The 42-bit PLCM is consistent throughout the call and is sent to the new serving system by the VLR if the mobile roams into another serving system. The SMEKEY is used in the same way as in the TDMA based scheme.

[0018] The IS-41 3G security scheme uses the UMTS security scheme, which is based on the delivery of the 128-bits ciphering key CK and 128-bits integrity key IK to the visited system VLR, while the same keys are computed by the UIM.

[0019] Key conversions as a wireless unit roams between communications systems should be performed in a way that even if lower security of 2G schemes and algorithms is compromised and partial keys are recovered by the intruder, the 3G session keys would still maintain the same level of security. Such conversions will allow a subscriber to "roam globally" maintaining the security of communications data and integrity of communications session.

[0020] MENEZES: 'Handbook of applied cryptography' 1997, CRC PRESS LLC, US XP002191213 teaches that a key-encrypting key K may be modified on a per-use basis by a counter N. In particular, the key-encrypting key K may be modified by the counter N by performing K ⊕ N.

[0021] According to one aspect of this invention there is provided a method as claimed in claim 1.

[0022] According to another aspect of this invention there is provided a key conversion system as claimed in claim 3.

[0023] The present invention is a key conversion system for deterministically and reversibly converting a first key value of a first communications system into a second key value of a second communication system. For example, the key conversion system generates a first intermediate value from at least a portion of the first key value using a first random function. At least a portion of the first intermediate value is provided to a second random function to produce a second value. An exclusive-or is performed on at least a portion of the first key value and at least a portion of the second value to generate a second intermediate value. At least a portion of the second intermediate value is provided to a third random function to produce a third value. By performing an exclusive-or on at least a portion of the third value and at least a portion of the first intermediate value, the key conversion system produces at least a first portion of the second key value, and at least a second portion of the second key value is produced as the second intermediate value. The key conversion system is deterministic in that, given a first key value, a wireless unit and the wireless communications system will determine the same second key value without requiring an exchange of information.
[0024] The key conversion system is reversible or bi-directional in that, if the wireless unit is handed off back to the first communications system, the second key value of the second communications system is converted back to the first key value of the first communications system. For example, the key conversion system provides the at least second portion of the second key value to the third random function to produce the third value. The first intermediate value is generated by performing an exclusive-or on the first portion of the second key value and the third value. Using the second random function, the key conversion system generates the second value from the first intermediate value and produces at least a portion of the first key by performing an exclusive-or on the second value and the second portion of the second key value. The key conversion system provides improved security because even if almost all of the second key value is known, the first key value cannot easily be recovered. Similarly, if almost all of the first key value is known, the second key value is not easily recovered.

DESCRIPTION OF THE DRAWINGS

[0025] Other aspects and advantages of the present invention may become apparent upon reading the following detailed description and upon reference to the drawings in which:

FIG. 1 shows a general diagram of wireless communications systems for which a key conversion system embodying the present invention can be used;

FIG. 2 is a block diagram illustrating the basic components of the prior art 2G global system for mobiles (GSM) network and security messages transmitted in the 2G GSM network;

FIG. 3 is a block diagram illustrating the basic components of the prior art 3G UMTS network and messages transmitted in the 3G UMTS network;

FIG. 4 is a block diagram illustrating the basic components of the prior art 2G IS-41 network and messages transmitted in the prior art 2G IS-41 network;

FIG. 5 is a block diagram illustrating how a user roams from a 2G TDMA network into a generic 3G network;

FIG. 6 is a block diagram illustrating how a user roams from a generic 3G network into a 2G TDMA network;

FIG. 7 is a block diagram illustrating how a user roams from a 2G CDMA network into a generic 3G network;

FIG. 8 is a block diagram illustrating how a user roams from a generic 3G network into a 2G CDMA network;

FIG. 9 is a block diagram illustrating how a user roams from a 2G GSM network into a generic 3G network;

FIG. 10 is a block diagram illustrating how a user roams from a generic 3G network into a 2G GSM network;

FIG. 11 is a flow diagram of an embodiment of the forward conversion for the key conversion system;

FIG. 12 is a flow diagram of an embodiment of the reverse conversion for the key conversion system.

DETAILED DESCRIPTION

[0026] An illustrative embodiment of the key conversion system is described below which provides an improved key conversion for a wireless unit which roams between first and second wireless communications systems. The key conversion system deterministically and reversibly converts an m bit key value of a first communications system into an n-bit key value of a second communication system. In certain embodiments, the key conversion system uses three random functions f, g and h where random functions f and g map an m bit input string into an n-m bit string resembling a random number, and the random function h maps an n-m bit string into an m bit string resembling a random number. A random function maps inputs to outputs such that the outputs are unpredictable and random looking given the input. In the embodiments described below, the random functions are random oracles where every time an input is given it maps to the same output. Additionally, in the embodiments described below, the random functions are publicly known. For example, the random functions are known by the wireless communications system(s) involved in the intersystem handoff and the wireless unit.

[0027] The key conversion system is deterministic in that, given an m-bit key value, a wireless unit and the wireless communications system will determine the same n-bit key value without requiring an exchange of information. The key conversion system is reversible or bi-directional in that, if the wireless unit is handed off back to the first communications system, the n bit key of the second communications system is converted back to the m-bit key of the first communications system. The key conversion system provides improved security because even if almost all of the n bit key value is known, the m bit key value cannot easily be recovered. Similarly, if almost all of the m bit key value is known, the n bit key value is not easily recovered.

[0028] Depending on the embodiment, the key conversion system can provide secure, deterministic and bi-directional key conversion when a wireless unit roams between two wireless communications systems, such as between an older communications system and a newer communications system. For example, where the same reference numerals indicate like components, the IS-41 3G security scheme of FIG. 5 converts, at the VLR 80 and at the wireless unit 120 (or 122), the 520-bits VPM in combination with the 64-bits SMEKEY received from the VLR 110 to the 128-bit CK and/or 128-bit IK when the wireless unit roams into the 3G system from the 2G TDMA system. Conversely, as shown in FIG. 6, the IS-41 3G security scheme converts, at the VLR 80 and the wireless unit 90 (or 92), the 128-bit CK and/or the 128-bit IK to the 520-bits VPM in combination with the 64-bits SMEKEY when the wireless unit roams into the 2G TDMA system from the 3G system. The VLR 80 provides the VPM and the SMEKEY to the VLR 110.

[0029] As shown in FIG. 7, the IS-41 3G security scheme converts, at the VLR 80 and at the wireless unit 120 (or 122), the 42-bits PLCM in combination with the 64-bits SMEKEY received from the VLR 110 to the 128-bit CK and/or the 128-bit IK when the wireless unit roams into the 3G system from the 2G CDMA system. Conversely, as shown in FIG. 8, the IS-41 3G security scheme converts, at the VLR 80 and at the wireless unit 90 (or 92), the 128-bit CK and 128-bit IK to the 42-bits PLCM in combination with the 64-bits SMEKEY when the mobile roams into the 2G CDMA system from the 3G system. The VLR 80 provides the PLCM and the SMEKEY to the VLR 110.

[0030] As shown in FIG. 9, the UMTS 3G security scheme converts, at the VLR 80 and at the wireless unit 60 (or 62), the 64-bit Kc received from the VLR 50 to the 128-bit CK and/or the 128-bit IK when the wireless unit roams into the 3G UMTS system from the 2G GSM system. Conversely, as shown in FIG. 10, the UMTS 3G security system converts, at the VLR 80 and at the wireless unit 90 (or 92), the 128-bit CK and/or the 128-bit IK to the 64-bit Kc when the wireless unit roams into the 2G GSM system from the 3G UMTS system. The VLR 80 provides the Kc to the VLR 50.
[0031] Accordingly, in certain embodiments, a wireless unit that supports enhanced subscriber authentication (ESA) and enhanced subscriber privacy (ESP) in a first communications system, such as a newer 3G communications system, may implement multiple privacy modes to enable the wireless unit to provide privacy using older algorithms in a second communications system, such as an older 2G TDMA communications system. Such a wireless unit can provide other forms of privacy after intersystem handoff to an MSC for an older second communications system that does not support ESP. When handoff to the older second communications system is required, the key conversion system can convert the key values for the newer first communications system to the privacy keys needed for the older privacy algorithms supported by the older second communications system. The keys for the second communications system can be sent to the target MSC of the second communications system from the MSC of the first communications system. Since the key conversion system is deterministic, the wireless unit will also have the keys for the second communications system by performing the same conversion as the first communication system using the key conversion system of the present invention.
[0032] The key conversion system maps a key(s) from a first system into a key(s) of a second system and back again. For example, when performing an intersystem handoff between a 3G communications system and a 2G TDMA system, the key conversion system can map a cipher key CK into a VPMASK/SMEKEY (VS) pair. In this embodiment, the key conversion function possesses the following properties: 1) A 128 bit CK is mapped into a 584 bit VS; 2) The function is reversible and maps back a 584 bit VS into a 128 bit CK; and 3) The function is secure in the sense that partial knowledge of the 584 bit key will not allow the adversary to recover the CK, nor will partial knowledge of 128 bit key CK allow the adversary to recover the 584 bit VS. In certain instances, for example when the call originates in a first communication system having a larger key value than the target second communications system, the conversion system maps the key value of the first communication system to a key value of a second communications system. However, if the wireless unit returns to the first communications system, the key conversion system maps the second key value to a subsequent key value for the first communications system which is not necessarily the same as the original key value. Subsequent handoffs back to the first communications system from the second communications system produce a key value which is the same as the subsequent key value.

[0033] For example, when performing an intersystem handoff for a call originating with a 2G TDMA system to a 3G system, the key conversion system can map a VPMASK/SMEKEY (VS) pair into a cipher key CK. In this embodiment, the key conversion function maps the 584 bit VS into the 128 bit CK. If the wireless unit is handed back to the 2G TDMA system, the conversion system maps back the 128 bit CK into the 584 bit VS, but the new 584 bit VS may not be the same as the original 584 bit VS. Subsequent handoffs to the 2G TDMA system from the 3G system will maintain the new 584 bit VS. Although this should not affect the security or operation of the wireless unit, the 128 bit CK is maintained the same all along in this embodiment.

[0034] In this embodiment, the key conversion system includes conversion functions available at the MSC in the newer system and at the wireless unit which will convert key values for a first communications system, such as ESP keys, into key values of a second communications system, such as keys used for older privacy algorithms. In this example, the conversion function should convert the 128 bit CK key in the new first communication system to VPMASK/SMEKEY (VS) keys for the older second communication system. VPMASK is composed of 260 bits mask for each direction and SMEKEY is 64 bits long, for a total of 584 bits to be used by the older communication system. In case of an intersystem handoff from the old communication system to the new communication system, it may be useful for the conversion function to be reversible. The old communication system does not know about the new communication system and will transfer all 584 bits to the new communication system. The new communication system upon receiving the 584 bit key will realize that it needs to recover the 128 bit CK, and hence will compute the CK from the 584 bit key.

[0035] The VS keys created at the wireless unit and the MSC should be the same. This means the calculation of the VS keys must be based solely on CK and any other quantities known by both the MSC and the wireless unit. Otherwise, any new quantities (e.g. random number) would have to be exchanged between the wireless unit and the MSC prior to the conversion. The key conversion system does not require the exchange of information between the wireless unit and the new MSC and deterministically maps a CK to VS keys and VS keys to a CK key.
[0036] Additionally, weaknesses in the old communications system should not make the new communications system weak. One can achieve this by making the key conversion function cryptographically one way, so that even if the entire key of the old communication system, such as the VS key in this example, is revealed, the adversary cannot recover the key of the new communication system, such as the CK key in this example. However, this will make the system non-reversible and, as previously noted, the key conversion system should be reversible. Nevertheless, the key conversion system can be reversible and still provide almost all of the security of a non-reversible function. The security of the key conversion system in this example prevents an adversary from recovering any part of the CK key even if almost all of the VS key is revealed except a small part. The adversary can guess the small part, but he should not be able to do any better. This aspect is important because parts of VPMASK may be somewhat easy to recover, and the entire VPMASK may be easier to recover than the SMEKEY. Yet if some part of the old system is hard to recover then the adversary will not know anything about CK. A similar security can apply to CK so that a partial knowledge of CK should not tell the adversary anything about VS.

[0037] In certain embodiments, the conversion function has two modes, the forward conversion and the reverse conversion. In the example of roaming from the 3G communications system to the 2G TDMA communications system, the forward conversion takes the 128 bit randomly created CK key and expands it to a 584 bit VS key. The reverse conversion function takes the 584 bit VS keys and maps them to a 128 bit CK key. In this embodiment, the forward conversion function is composed of 3 random functions f, g and h which map a given input into a random output. In this embodiment, these are not secret functions but public random functions known to everybody, including the adversary. These public random functions are referred to as random oracles in the literature. These random oracles can be implemented using hash functions and block ciphers as described below. In this example, the three random functions are f, g, h where f and g map a 128 bit input into a 456 bit random value, and h maps a 456 bit input into a 128 bit random value.

[0038] FIG. 11 shows a flow diagram of an embodiment of the forward conversion of the key conversion system for converting an m-bit key value KEY1 of a first communications system into an n-bit key value KEY2 of a second communications system. The m bit KEY1 is provided to a random function f (block 200) which maps an m-bit string into an n-m bit random number or first intermediate value R. In the example of roaming from the 3G communications system to the 2G TDMA communications system, the conversion system converts a 128 bit key CK into a 584 bit key (VPMASK, SMEKEY). The 128 bit key CK is provided to the random function f (200) which maps the 128 bit CK into a 456 bit random number or first intermediate value R. The intermediate value R is provided to a random function h (block 210) which maps an n-m bit string into an m bit random number. The m-bit output of the function h (210) is subject to an exclusive-or (XOR 220) with the m bit KEY1 to produce an m-bit second intermediate value T. In the example of roaming from the 3G communications system to the 2G TDMA communications system, the 456 bit intermediate value R is provided to the function h (210). The function h (210) maps the 456 bit value R to a 128 bit random number which is XORed with the 128 bit CK to produce a 128 bit second intermediate value T.

[0039] In the embodiment of FIG. 11, the m-bit intermediate value T is provided to a random function g (block 230). The random function g (block 230) maps an m bit string to an n-m bit random number which is subject to an exclusive-or (XOR 240) with the n-m bit intermediate value R to produce an n-m bit key value V which can be used as a key, keys or portion(s) of key(s). In this embodiment, the value V is a portion of the value KEY2 which can be used as a key, keys or portion(s) of key(s). In this embodiment, the n bit key KEY2 includes the n-m bit value V along with the m bit second intermediate value T. In the example of roaming from the 3G communications system to the 2G TDMA communications system, the random function g (230) maps the 128 bit intermediate value T into a 456 bit random number which is subject to the exclusive-or (XOR 240) with the 456 bit intermediate value R to produce the 456 bit key value V. The 456 bit value V and the 128 bit intermediate value T form the 584 bit key value KEY2 which in this example can be divided into the VPMASK and the SMEKEY for 2G TDMA.

[0040] The forward conversion of the CK of the 3G system to the VPMASK and SMEKEY of the 2G TDMA system can be written according to the following steps.

1. R = f(CK)          /* create a 456 bit value from 128 bit CK by applying f */
2. T = h(R) XOR CK    /* create a 128 bit value using h */
3. V = g(T) XOR R     /* create a 456 bit value using g */
4. Output T, V        /* output the 584 bit value */

[0041] FIG. 12 shows a flow diagram of an embodiment of the reverse conversion of the key conversion system for converting the n-bit key value KEY2 of the second communications system back into the m-bit key value KEY1 of the first communications system. In this embodiment, the n bit key value KEY2 is divided into an n-m bit first portion or value V and an m-bit second portion or value T. The m-bit value T is provided to the random function g (block 250) which maps an m-bit string into an n-m bit random number. The n-m bit random number is subjected to an exclusive-or (XOR 260) with the n-m bit key value V to produce the n-m bit first intermediate value R. In the example where the wireless unit roams back to the 2G TDMA system from the 3G system, the conversion system converts the 584 bit key (VPMASK, SMEKEY) into a 128 bit key CK. The 128 bit key value portion T is provided to the random function g (250) which maps the 128 bit T into a 456 bit random number. The 456 bit random number is exclusive-ORed (XOR 260) with the 456 bit key value V to produce the 456 bit first intermediate value R.

[0042] In the embodiment of FIG. 12, the n-m bit first intermediate value R is provided to a random function h (block 270). The random function h (block 270) maps an n-m bit string to an m bit random number which is subject to an exclusive-or (XOR 280) with the m bit key value T to produce an m bit key value KEY1 which can be used as a key, keys or portion(s) of key(s). In the example where the wireless unit roams back to the 2G TDMA system from the 3G system, the random function h (270) maps the 456 bit intermediate value R into a 128 bit random number which is subject to an exclusive-or (XOR 280) with the 128 bit key value T to produce the 128 bit key CK.

[0043] The reverse conversion of the VPMASK and SMEKEY of the 2G TDMA system to the CK of the 3G system can be written according to the following steps.

1. Set T, V to 584 bit input    /* T is 128 bit part, V is 456 bit part */
2. R = g(T) XOR V               /* create 456 bit value R using T, V */
3. CK = h(R) XOR T

[0044] The random functions f, g and h can be implemented using hash functions and/or block ciphers. To implement the random functions f, g, and h, which can be referred to as random oracles, cryptographic hash functions, such as the functions known as SHA-1, MD5, RIPE-MD, can be used to instantiate the random functions f, g, h. A hash function can be typically characterized as a function which maps inputs of one length to outputs of another, and given an output, it is not feasible to determine the input that will map to the given output. Moreover, it is not feasible to find two inputs which will map to the same output. In using a SHA-1 hash function, each call to the SHA-1 hash function has a 160 bit initial vector (IV) and takes a 512 bit input or payload which is mapped into a 160 bit output. The IV is set to the IV defined in the standard for SHA-1 hash function. The payload will contain various input arguments: SHA(Type, Count, Input, Pad) where Type is a byte value which defines the various functions f, g, h. Function f and g will call SHA multiple times, and Count is a byte value which differentiates the multiple calls. Input is the input argument to the functions f, g, or h. Pad is zeroes to fill the remaining bit positions in the 512 bit SHA payload. Below is an example procedure for implementing the random functions f, g and h using a hash function routine referred to as SHA.

SHA(type, count, input, pad)
f(CK): SHA(1, 1, CK, pad)
       SHA(1, 2, CK, pad)
       SHA(1, 3, CK, pad) mod 2^136
h(R):  SHA(2, 1, R, pad) mod 2^128
g(T):  SHA(3, 1, T, pad)
       SHA(3, 2, T, pad)
       SHA(3, 3, T, pad) mod 2^136

Block ciphers, like AES, can be used to create functions f, g, and h.

f(CK): E_CK(1); E_CK(2); E_CK(3); E_CK(4) mod 2^72;
h(R):  E_K0(R1 XOR 5) XOR E_K0(R2 XOR 6) XOR E_K0(R3 XOR 7) XOR E_K0(R4 XOR 8)
g(T):  E_T(9); E_T(10); E_T(11); E_T(12) mod 2^72;

where in f(CK), CK is used as the key in the block cipher and a 512 bit stream is produced by encrypting 1...4 in counter mode. The last encryption is truncated from 128 bit to 72 bit to get the needed 456 bits. In h(R), a public key K0 is used to encrypt the parts of 456 bit R and the resulting ciphertexts are exclusive-ored together. R1, R2, and R3 are 128 bit values and R4 is the remaining 72 bit value of R, padded with zeroes to complete 128 bits.

[0045] Thus, the key conversion system provides bi-directional, deterministic and secure conversion of a key(s) or portion(s) thereof between first and second communications systems. The key conversion system is secure in the forward direction in that given most of the output KEY2 (for example, T,V), an adversary cannot recover KEY1 (for example, CK). In the example with the 2G TDMA and 3G systems, if all of T and most V except say 54 bits are known, then parts of R can be recovered, but not all of R by calculating R = g(T) XOR V. An attempt can be made to recover some of CK by performing CK = h(R) XOR T. However, since all of R is not known, even a bit of information about h(R) cannot be recovered, assuming h is a random function. Hence no information can be recovered about CK. Similarly, if all of V and part of T are known, except say 64 bits of T, then no information about CK can be recovered. Since we do not know all of T, the intermediate value R cannot be calculated using g(T) XOR V. Thus without the intermediate value R, no progress can be made in recovering any information about CK.

[0046] Similarly, the key conversion system is secure in the reverse direction in that given most of the output KEY1 (for example, CK), an adversary cannot recover KEY2 (for example, T,V). In the example with the 2G TDMA and 3G systems, if a part of CK is known, no information about T,V can be recovered. Since we do not know all of CK, the intermediate value R cannot be calculated using f(CK). Thus without the intermediate value R, no progress can be made in recovering any information about T,V.
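
The forward and reverse steps of [0040] and [0043], with f, g and h built from the SHA(Type, Count, Input, Pad) listing of [0044], written out as an added Python example that is not code from the patent. Assumptions: `hashlib.sha1` over the zero-padded 64-byte payload stands in for the single 512 bit SHA-1 call the text describes, `mod 2^136` and `mod 2^128` are read as the low-order bytes of the big-endian digest, and every function name is illustrative. The last function reproduces the [0045] situation in which all of T and all but a small tail of V are known.

```python
import hashlib

M_BYTES = 16                        # m = 128 bits: CK and T
R_BYTES = 57                        # n - m = 456 bits: R and V
TYPE_F, TYPE_H, TYPE_G = 1, 2, 3    # Type byte values used in the SHA listing


def sha_call(type_byte: int, count: int, data: bytes) -> bytes:
    """One SHA(Type, Count, Input, Pad) call: 512 bit payload -> 160 bit output.

    Assumption: hashlib.sha1 (which appends its own length padding) replaces
    the single fixed-IV SHA-1 call on exactly one 512 bit payload.
    """
    payload = bytes([type_byte, count]) + data
    if len(payload) > 64:
        raise ValueError("Type, Count and Input must fit in one 512 bit payload")
    return hashlib.sha1(payload.ljust(64, b"\x00")).digest()   # Pad = zeroes


def expand_456(type_byte: int, data: bytes) -> bytes:
    """Three calls, the last reduced mod 2^136: 160 + 160 + 136 = 456 bits."""
    if len(data) != M_BYTES:
        raise ValueError("expected a 128 bit input")
    last = sha_call(type_byte, 3, data)[-17:]     # low-order 136 bits
    return sha_call(type_byte, 1, data) + sha_call(type_byte, 2, data) + last


def f(ck: bytes) -> bytes:
    return expand_456(TYPE_F, ck)


def g(t: bytes) -> bytes:
    return expand_456(TYPE_G, t)


def h(r: bytes) -> bytes:
    if len(r) != R_BYTES:
        raise ValueError("expected a 456 bit input")
    return sha_call(TYPE_H, 1, r)[-M_BYTES:]      # mod 2^128


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def forward(ck: bytes):
    """128 bit CK -> (T, V), together the 584 bit key value."""
    r = f(ck)                # 1. R = f(CK)
    t = xor(h(r), ck)        # 2. T = h(R) XOR CK
    v = xor(g(t), r)         # 3. V = g(T) XOR R
    return t, v              # 4. Output T, V


def reverse(t: bytes, v: bytes) -> bytes:
    """(T, V) -> 128 bit CK."""
    r = xor(g(t), v)         # 2. R = g(T) XOR V
    return xor(h(r), t)      # 3. CK = h(R) XOR T


def candidate_ck(t: bytes, v: bytes, unknown_bytes: int, guess: bytes) -> bytes:
    """CK computed by a party that knows T and V except V's last bytes,
    and substitutes `guess` for the part it does not know."""
    if len(guess) != unknown_bytes:
        raise ValueError("guess must cover exactly the unknown bytes")
    return reverse(t, v[:-unknown_bytes] + guess)


def bits_differing(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    ck = bytes(range(16))    # constructed sample key, not a real CK
    t, v = forward(ck)
    print("T||V bits:", 8 * (len(t) + len(v)))
    print("round trip ok:", reverse(t, v) == ck)
    wrong = candidate_ck(t, v, 8, bytes(8))
    print("CK bits wrong after a bad 64 bit guess:", bits_differing(wrong, ck))
```

A wrong guess for the unknown tail changes R, so h(R) and therefore the candidate CK come out unrelated to the real key; only the exact tail reproduces CK.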

[0047] In addition to the embodiment(s) described above, the key conversion system can be used in forms which omit and/or add input parameters and/or random functions or other operations and/or use variations or portions of the described system. For example, the key conversion system has been described as converting between n bit key of a first communication system and an m bit key of a second communications system using random oracles f, g and h where the random oracles f and g map an m bit string to a n-m bit random number and the random oracle h maps a n-m bit string to an m bit random number. However, different random functions can be used as well as different or additional functions which map x bit strings to y bit random numbers and/or map y bit strings to x bit random numbers where x or y can be equal to n-m or m. Additionally, the m bit key value for the first communications system can be a key, keys or portion(s) thereof, and the n bit key value for the second communications system can be a key, keys or portion(s) thereof. For example, in the example with the 2G TDMA and 3G systems, the conversion is between the 128 bit CK of the 3G system and the 584 bit key value for the SMEKEY and VPMASK of the 2G TDMA system, but the conversion could be between a 256 bit key value of CK and IK of the 3G system and the 584 bit key value for the SMEKEY and VPMASK of the 2G TDMA system.

[0048] In the example described above, a forward conversion is from the m bit key value of the first communications system to the n bit key value of the second communications system where the first communications system corresponds to the new system and the second communications corresponds to the old system and where m<n. However, depending on the embodiment, the first communications system can be older, and the second communications system is newer. Alternatively, the forward conversion can be the conversion of the smaller size key value of one communications system to the larger bit size key value of another communications system, and the reverse conversion is the conversion of the larger bit size key value to the smaller size key value. Depending on the embodiment, the conversion of different, larger, smaller and/or the same size(s) of key value(s) between the different communications systems are possible.

[0049] Furthermore, the key conversion system can be used to handle the intersystem handoffs described in the FIGs. 5-10 to convert a key, keys or portion(s) thereof from one communications system to the key, keys or portion(s) thereof of another communications system. It should be understood that different notations, references and characterizations of the various values, inputs and architecture blocks can be used. For example, the functionality described for the key conversion system can be performed in a home authentication center, home location register (HLR), a home MSC, a visiting authentication center, a visitor location register (VLR) and/or in a visiting MSC. Moreover, the key conversion system and portions thereof can be performed in a wireless unit, a base station, base station controller, MSC, VLR, HLR or other sub-system of the first and/or second communications system. It should be understood that the system and portions thereof and of the described architecture can be implemented in or integrated with processing circuitry in the unit or at different locations of the communications system, or in application specific integrated circuits, software-driven processing circuitry, programmable logic devices, firmware, hardware or other arrangements of discrete components as would be understood by one of ordinary skill in the art with the benefit of this disclosure.

What has been described is merely illustrative of the application of the principles of the present invention. Those skilled in the art will readily recognize that these and various other modifications, arrangements and methods can be made to the present invention without strictly following the exemplary applications illustrated and described herein and without departing from the scope of the present invention.

Claims

1. A method of converting a first key value (key 1) for a first communications system to a second key value (key 2) of a second communications system, said method CHARACTERIZED BY:

generating a first intermediate value (R) from at least a portion of said first key value (key 1) using a first random function (f);
providing at least a portion of said first intermediate value (R) to a second random function (h) to produce a second value;
performing an exclusive-or (220) on at least a portion of said first key value (key 1) and at least a portion of said second value to generate a second intermediate value (T);
providing at least a portion of said second intermediate value (T) to a third random function (g) to produce a third value; and
producing at least a first portion of said second key value (key 2) by performing an exclusive-or (240) on at least a portion of said third value and at least a portion of said first intermediate value (R).

2. The method of claim 1 CHARACTERIZED BY:

producing at least a portion of said second intermediate value (T) as at least a second portion of said second key value (key 2).

3. The method of claim 1 CHARACTERIZED IN THAT said generating comprises the step of:

providing said first key value (key 1) of m bits to a first random function (f) to produce said first intermediate value (R) of n-m bits.

4. The method of claim 3 CHARACTERIZED IN THAT said first steps of providing and performing comprise:

providing said n-m bit first intermediate value (R) to a second random function (h) to produce an m bit second value; and
performing an exclusive-or (220) on said m bit first key value (key 1) and said m bit second value to generate said second intermediate value (T) with m bits.

5. The method of claim 4 CHARACTERIZED IN THAT said second step of providing and said step of producing comprise:

providing said m bit second intermediate value (T) to a third random function (g) to produce a n-m bit third value; and
performing an exclusive or (240) on said n-m bit third value and said n-m bit first intermediate value (R) to generate an n-m bit first portion (V) of said second key value (key 2).

6. The method of claim 5 CHARACTERIZED BY:

providing said m bit second intermediate value (T) as an m bit second portion of said second key value (key 2) having n bits.

7. The method of claim 2 CHARACTERIZED BY the steps of:

providing said second portion (T) of said second key value (key 2) to said third random function (g) to produce said third value; and
generating said first intermediate value (R) by subjecting a first portion (V) of said second key value (key 2) to an exclusive-or (260) with said third value.

8. The method of claim 7 further CHARACTERIZED BY:

using said second random function (h) to generate said second value from said first intermediate value (R); and
producing at least a portion of said first key by subjecting said second value to an exclusive-or (280) with said second portion (T) of said second key value (key 2).

9. A key conversion system for converting a first key value (key 1) for a first communications system to a second key value (key 2) of a second communications system, said system CHARACTERIZED BY:

processing circuitry adapted to generate a first intermediate value (R) from at least a portion of said first key value (key 1) using a first random function (f), to provide at least a portion of said first intermediate value (R) to a second random function (h) to produce a second value, to perform an exclusive-or (220) on at least a portion of said first key value (key 1) and at least a portion of said second value to generate a second intermediate value (T), to provide at least a portion of said second intermediate value (T) to a third random function (g) to produce a third value and to produce at least a first portion of said second key value (key 2) by subjecting at least a portion of said third value to an exclusive-or (240) with at least a portion of said first intermediate value (R).

10. The system of claim 9 CHARACTERIZED IN THAT said processing circuitry is configured to produce at least a portion of said second intermediate value (T) as at least a second portion of said second key value (key 2).



Claims (translated from the French text)

1. A method of converting a first key value (key 1) of a first communications system into a second key value (key 2) of a second communications system, said method being CHARACTERIZED BY:

generating a first intermediate value (R) from at least a portion of said first key value (key 1) by means of a first random function (f);
supplying at least a portion of said first intermediate value (R) to a second random function (h) in order to produce a second value;
performing an exclusive-or (220) on at least a portion of said first key value (key 1) and at least a portion of said second value in order to generate a second intermediate value (T);
supplying at least a portion of said second intermediate value (T) to a third random function (g) in order to produce a third value; and
producing at least a first portion of said second key value (key 2) by performing an exclusive-or (240) on at least a portion of said third value and at least a portion of said first intermediate value (R).

2. The method according to claim 1, CHARACTERIZED BY:

producing at least a portion of said second intermediate value (T) as at least a second portion of said second key value (key 2).

3. The method according to claim 1, CHARACTERIZED IN THAT said generating comprises the step of:

supplying said first key value (key 1) of m bits to a first random function (f) in order to produce said first intermediate value (R) of n-m bits.

4. The method according to claim 3, CHARACTERIZED IN THAT said first steps of supplying and performing comprise:

supplying said n-m bit first intermediate value (R) to a second random function (h) in order to produce an m bit second value; and
performing an exclusive-or (220) on said m bit first key value (key 1) and said m bit second value in order to generate said second intermediate value (T) with m bits.

5. The method according to claim 4, CHARACTERIZED IN THAT said second step of supplying and said step of producing comprise:

supplying said m bit second intermediate value (T) to a third random function (g) in order to produce an n-m bit third value; and
performing an exclusive-or (240) on said n-m bit third value and said n-m bit first intermediate value (R) in order to generate an n-m bit first portion (V) of said second key value (key 2).

6. The method according to claim 5, CHARACTERIZED BY:

supplying said m bit second intermediate value (T) as an m bit second portion of said second key value (key 2) having n bits.

7. The method according to claim 2, CHARACTERIZED BY the steps of:

supplying said second portion (T) of said second key value (key 2) to said third random function (g) in order to produce said third value; and
generating said first intermediate value (R) by subjecting a first portion (V) of said second key value (key 2) to an exclusive-or (260) with said third value.

8. The method according to claim 7, further CHARACTERIZED BY:

using said second random function (h) in order to generate said second value from said first intermediate value (R); and
producing at least a portion of said first key by subjecting said second value to an exclusive-or (280) with said second portion (T) of said second key value (key 2).

9. A key conversion system for converting a first key value (key 1) of a first communications system into a second key value (key 2) of a second communications system, said system being CHARACTERIZED BY:

processing circuitry adapted to generate a first intermediate value (R) from at least a portion of said first key value (key 1) by means of a first random function (f), to supply at least a portion of said first intermediate value (R) to a second random function (h) in order to produce a second value, to perform an exclusive-or (220) on at least a portion of said first key value (key 1) and at least a portion of said second value in order to generate a second intermediate value (T), to supply at least a portion of said second intermediate value (T) to a third random function (g) in order to produce a third value, and to produce at least a first portion of said second key value (key 2) by subjecting at least a portion of said third value to an exclusive-or (240) with at least a portion of said first intermediate value (R).

10. The system according to claim 9, CHARACTERIZED IN THAT said processing circuitry is configured to produce at least a portion of said second intermediate value (T) as at least a second portion of said second key value (key 2).



Claims (translated from the German text)

1. A method of converting a first key value (key 1) for a first communications system into a second key value (key 2) of a second telecommunications system, characterized by the following steps:

generating a first intermediate value (R) from at least a portion of the first key value (key 1) using a first random function (f);
providing at least a portion of the first intermediate value (R) to a second random function (h) to generate a second value;
performing an exclusive-or function (220) on at least a portion of the first key value (key 1) and at least a portion of the second value to generate a second intermediate value (T);
providing at least a portion of the second intermediate value (T) to a third random function (g) to generate a third value; and
generating at least a first portion of the second key value (key 2) by performing an exclusive-or function (240) on at least a portion of the third value and at least a portion of the first intermediate value (R).

2. The method according to claim 1, characterized by generating at least a portion of the second intermediate value (T) as at least a second portion of the second key value (key 2).

3. The method according to claim 1, characterized in that the generating comprises the following step:

providing the first key value (key 1) of m bits to a first random function (f) to generate the first intermediate value (R) of n-m bits.

4. The method according to claim 3, characterized in that the first steps of providing and performing comprise the following:

providing the first n-m bit intermediate value (R) to a second random function (h) to generate a second m bit value; and
performing an exclusive-or function (220) on the first m bit key value (key 1) and the second m bit value to generate the second intermediate value (T) with m bits.

5. The method according to claim 4, characterized in that the second step of providing and the step of generating comprise the following:

providing the second m bit intermediate value (T) to a third random function (g) to generate a third n-m bit value; and
performing an exclusive-or function (240) on the third n-m bit value and the first n-m bit intermediate value (R) to generate a first n-m bit portion (V) of the second key value (key 2).

6. The method according to claim 5, characterized by providing the second m bit intermediate value (T) as a second m bit portion of the second key value (key 2) with n bits.

7. The method according to claim 2, characterized by the following steps:

providing the second portion (T) of the second key value (key 2) to the third random function (g) to generate the third value; and
generating the first intermediate value (R) by subjecting the first portion (V) of the second key value (key 2) to an exclusive-or function (260) with the third value.

8. The method according to claim 7, further characterized by:

using the second random function (h) to generate the second value from the first intermediate value (R); and
generating at least a portion of the first key by subjecting the second value to an exclusive-or function (280) with the second portion (T) of the second key value (key 2).

9. A key conversion system for converting a first key value (key 1) for a first communications system into a second key value (key 2) of a second communications system, characterized by the following:

processing circuitry for generating a first intermediate value (R) from at least a portion of the first key value (key 1) using a first random function (f), for providing at least a portion of the first intermediate value (R) to a second random function (h) to generate a second value, for performing an exclusive-or function (220) on at least a portion of the first key value (key 1) and at least a portion of the second value to generate a second intermediate value (T), for providing at least a portion of the second intermediate value (T) to a third random function (g) to generate a third value, and for generating at least a first portion of the second key value (key 2) by subjecting at least a portion of the third value to an exclusive-or function (240) with at least a portion of the first intermediate value (R).

10. The system according to claim 9, characterized in that the processing circuitry is configured to generate at least a portion of the second intermediate value (T) as at least a second portion of the second key value (key 2).